private static String getHashAlgorithm(MacAlgorithm macAlgorithm) { if (null == macAlgorithm) { throw new IllegalArgumentException(ILLEGAL_MAC_ALGORITHM.format(macAlgorithm.getJavaName())); } else switch (macAlgorithm) { case SSLMAC_MD5: return "MD5"; case SSLMAC_SHA1: return "SHA-1"; default: throw new IllegalArgumentException(ILLEGAL_MAC_ALGORITHM.format(macAlgorithm.getJavaName())); } }
private int getMacKeySize() { return AlgorithmResolver.getMacAlgorithm(version, suite).getKeySize(); }
/** * * @param suite * @param version * @return */ @Override public List<Record> getRecords(CipherSuite suite, ProtocolVersion version) { int blockSize = AlgorithmResolver.getCipher(suite).getBlocksize(); int macSize = AlgorithmResolver.getMacAlgorithm(version, suite).getSize(); List<Record> recordList = new LinkedList<>(); recordList.addAll(createRecordsWithModifiedMac()); recordList.addAll(createRecordsWithModifiedPadding()); recordList.addAll(createRecordsWithPlainData(blockSize, macSize)); return recordList; }
public static byte[] generateHMAC(MacAlgorithm macAlgorithm, byte[] plaintext, byte[] key) throws CryptoException { byte[] result = new byte[0]; try { Mac mac = Mac.getInstance(macAlgorithm.getJavaName()); SecretKeySpec macKey = new SecretKeySpec(key, macAlgorithm.getJavaName()); mac.init(macKey); result = mac.doFinal(plaintext); } catch (InvalidKeyException | NoSuchAlgorithmException ex) { LOGGER.warn("Encountered exception while generating the HMAC " + macAlgorithm.name() + " of an encryptedState."); LOGGER.debug(ex); throw new CryptoException("Error while HMAC generation. See Debug-Log for more Information."); } return result; }
/** * From RFC-6101: pad_2: The character 0x5c repeated 48 times for MD5 or 40 * times for SHA. * * @param macAlgorithm * The macalgorithm to use * @return pad_2 */ public static byte[] getPad2(MacAlgorithm macAlgorithm) { if (null == macAlgorithm) { throw new IllegalArgumentException(ILLEGAL_MAC_ALGORITHM.format(macAlgorithm.getJavaName())); } else switch (macAlgorithm) { case SSLMAC_MD5: return MD5_PAD2; case SSLMAC_SHA1: return SHA_PAD2; default: throw new IllegalArgumentException(ILLEGAL_MAC_ALGORITHM.format(macAlgorithm.getJavaName())); } }
private List<Record> getMacFlippedRecords(CipherSuite suite, ProtocolVersion version) { List<Record> recordList = new LinkedList<>(); int macSize = AlgorithmResolver.getMacAlgorithm(version, suite).getSize(); List<ByteArrayXorModification> allBitFlipModifications = getAllBitFlipModifications(macSize); for (ByteArrayXorModification modification : allBitFlipModifications) { Record r = new Record(); r.prepareComputations(); ModifiableByteArray modMac = new ModifiableByteArray(); modMac.setModification(modification); r.getComputations().setMac(modMac); recordList.add(r); } return recordList; }
private static int getBlockSecretSetSize(ProtocolVersion protocolVersion, CipherSuite cipherSuite) { CipherAlgorithm cipherAlg = AlgorithmResolver.getCipher(cipherSuite); int keySize = cipherAlg.getKeySize(); MacAlgorithm macAlg = AlgorithmResolver.getMacAlgorithm(protocolVersion, cipherSuite); int secretSetSize = (2 * keySize) + (2 * macAlg.getKeySize()); if (!protocolVersion.usesExplicitIv()) { secretSetSize += (2 * cipherAlg.getNonceBytesFromHandshake()); } return secretSetSize; }
/** * From RFC-6101: * * pad_1: The character 0x36 repeated 48 times for MD5 or 40 times for SHA. * * @param macAlgorithm * The macAlgorithm to use * @return the pad_1 */ public static byte[] getPad1(MacAlgorithm macAlgorithm) { if (null == macAlgorithm) { throw new IllegalArgumentException(ILLEGAL_MAC_ALGORITHM.format(macAlgorithm.getJavaName())); } else switch (macAlgorithm) { case SSLMAC_MD5: return MD5_PAD1; case SSLMAC_SHA1: return SHA_PAD1; default: throw new IllegalArgumentException(ILLEGAL_MAC_ALGORITHM.format(macAlgorithm.getJavaName())); } }
private List<Record> getMacFlippedRecords(CipherSuite suite, ProtocolVersion version) { List<Record> recordList = new LinkedList<>(); int macSize = AlgorithmResolver.getMacAlgorithm(version, suite).getSize(); List<ByteArrayXorModification> allBitFlipModifications = getAllBitFlipModifications(macSize); for (ByteArrayXorModification modification : allBitFlipModifications) { Record r = new Record(); r.prepareComputations(); ModifiableByteArray modMac = new ModifiableByteArray(); modMac.setModification(modification); r.getComputations().setMac(modMac); recordList.add(r); } return recordList; }
private static int getStreamSecretSetSize(ProtocolVersion protocolVersion, CipherSuite cipherSuite) { CipherAlgorithm cipherAlg = AlgorithmResolver.getCipher(cipherSuite); MacAlgorithm macAlg = AlgorithmResolver.getMacAlgorithm(protocolVersion, cipherSuite); int secretSetSize = (2 * cipherAlg.getKeySize()) + (2 * macAlg.getKeySize()); if (cipherSuite.isSteamCipherWithIV()) { secretSetSize += (2 * cipherAlg.getNonceBytesFromHandshake()); } return secretSetSize; }
/** * Computes HKDF-Extract output as defined in RFC 5869 * * @param hkdfAlgortihm * The HKDFAlgorithm * @param salt * The Salt * @param ikm * The IKM * @return The HKDF-Extracted ouput * @throws de.rub.nds.tlsattacker.core.exceptions.CryptoException */ public static byte[] extract(HKDFAlgorithm hkdfAlgortihm, byte[] salt, byte[] ikm) throws CryptoException { try { Mac mac = Mac.getInstance(hkdfAlgortihm.getMacAlgorithm().getJavaName()); if (salt == null || salt.length == 0) { salt = new byte[mac.getMacLength()]; Arrays.fill(salt, (byte) 0); } SecretKeySpec keySpec = new SecretKeySpec(salt, hkdfAlgortihm.getMacAlgorithm().getJavaName()); mac.init(keySpec); mac.update(ikm); return mac.doFinal(); } catch (NoSuchAlgorithmException | InvalidKeyException ex) { throw new CryptoException(ex); } }
private List<Record> getPaddingFlippedRecords(CipherSuite suite, ProtocolVersion version) { List<Record> recordList = new LinkedList<>(); int blockSize = AlgorithmResolver.getCipher(suite).getBlocksize(); int macSize = AlgorithmResolver.getMacAlgorithm(version, suite).getSize(); for (int paddingLength = 0; paddingLength < 256; paddingLength++) { int messageSize = blockSize - ((paddingLength + macSize) % blockSize); byte[] message = new byte[messageSize]; byte[][] paddings = getModifiedPaddings(paddingLength); for (byte[] padding : paddings) { Record r = new Record(); r.prepareComputations(); ModifiableByteArray modPadding = new ModifiableByteArray(); modPadding.setModification(new ByteArrayExplicitValueModification(padding)); r.getComputations().setPadding(modPadding); ModifiableByteArray modMessage = new ModifiableByteArray(); modMessage.setModification(new ByteArrayExplicitValueModification(message)); r.setCleanProtocolMessageBytes(message); recordList.add(r); } } return recordList; }
throws CryptoException { try { Mac mac = Mac.getInstance(hkdfAlgortihm.getMacAlgorithm().getJavaName()); SecretKeySpec keySpec = new SecretKeySpec(prk, hkdfAlgortihm.getMacAlgorithm().getJavaName()); mac.init(keySpec); ByteArrayOutputStream stream = new ByteArrayOutputStream();
private List<Record> getPaddingFlippedRecords(CipherSuite suite, ProtocolVersion version) { List<Record> recordList = new LinkedList<>(); int blockSize = AlgorithmResolver.getCipher(suite).getBlocksize(); int macSize = AlgorithmResolver.getMacAlgorithm(version, suite).getSize(); for (int paddingLength = 0; paddingLength < 256; paddingLength++) { int messageSize = blockSize - ((paddingLength + macSize) % blockSize); byte[] message = new byte[messageSize]; byte[][] paddings = getModifiedPaddings(paddingLength); for (byte[] padding : paddings) { Record r = new Record(); r.prepareComputations(); ModifiableByteArray modPadding = new ModifiableByteArray(); modPadding.setModification(new ByteArrayExplicitValueModification(padding)); r.getComputations().setPadding(modPadding); ModifiableByteArray modMessage = new ModifiableByteArray(); modMessage.setModification(new ByteArrayExplicitValueModification(message)); r.setCleanProtocolMessageBytes(message); recordList.add(r); } } return recordList; }
/** * Computes Derive-Secret output as defined in TLS 1.3 * * @param hkdfAlgortihm * The HKDF Algorithm * @param hashAlgorithm * The Hash Algorithm * @param prk * The prk * @param labelIn * The labelinput * @param toHash * The data to hash * @return The derivedSecret * @throws de.rub.nds.tlsattacker.core.exceptions.CryptoException */ public static byte[] deriveSecret(HKDFAlgorithm hkdfAlgortihm, String hashAlgorithm, byte[] prk, String labelIn, byte[] toHash) throws CryptoException { try { MessageDigest hashFunction = MessageDigest.getInstance(hashAlgorithm); hashFunction.update(toHash); byte[] hashValue = hashFunction.digest(); int outLen = Mac.getInstance(hkdfAlgortihm.getMacAlgorithm().getJavaName()).getMacLength(); return expandLabel(hkdfAlgortihm, prk, labelIn, hashValue, outLen); } catch (NoSuchAlgorithmException ex) { throw new CryptoException("Could not initialize HKDF", ex); } }
return outerHash; } catch (NoSuchAlgorithmException e) { throw new IllegalArgumentException(ILLEGAL_MAC_ALGORITHM.format(macAlgorithm.getJavaName()));
case TLS_PRF_GOSTR3411: case TLS_PRF_GOSTR3411_2012_256: return computeTls12(secret, label, seed, size, prfAlgorithm.getMacAlgorithm().getJavaName()); case TLS_PRF_LEGACY:
private void prepareBinderValue() { try { HKDFAlgorithm hkdfAlgortihm = AlgorithmResolver.getHKDFAlgorithm(pskBinder.getBinderCipherConfig()); int macLen = Mac.getInstance(hkdfAlgortihm.getMacAlgorithm().getJavaName()).getMacLength(); pskBinder.setBinderEntry(new byte[macLen]); pskBinder.setBinderEntryLength(pskBinder.getBinderEntry().getValue().length); } catch (NoSuchAlgorithmException ex) { LOGGER.warn(ex); } }
try { HKDFAlgorithm hkdfAlgortihm = AlgorithmResolver.getHKDFAlgorithm(pskSets.get(x).getCipherSuite()); Mac mac = Mac.getInstance(hkdfAlgortihm.getMacAlgorithm().getJavaName()); DigestAlgorithm digestAlgo = AlgorithmResolver.getDigestAlgorithm(ProtocolVersion.TLS13, pskSets.get(x) .getCipherSuite());
private byte[] derivePsk(NewSessionTicketMessage message) { try { LOGGER.debug("Deriving PSK from current session"); HKDFAlgorithm hkdfAlgortihm = AlgorithmResolver.getHKDFAlgorithm(tlsContext.getChooser() .getSelectedCipherSuite()); DigestAlgorithm digestAlgo = AlgorithmResolver.getDigestAlgorithm(tlsContext.getChooser() .getSelectedProtocolVersion(), tlsContext.getChooser().getSelectedCipherSuite()); int macLength = Mac.getInstance(hkdfAlgortihm.getMacAlgorithm().getJavaName()).getMacLength(); byte[] resumptionMasterSecret = HKDFunction.deriveSecret(hkdfAlgortihm, digestAlgo.getJavaName(), tlsContext.getMasterSecret(), HKDFunction.RESUMPTION_MASTER_SECRET, tlsContext.getDigest() .getRawBytes()); LOGGER.debug("Derived ResumptionMasterSecret: " + ArrayConverter.bytesToHexString(resumptionMasterSecret)); byte[] psk = HKDFunction.expandLabel(hkdfAlgortihm, resumptionMasterSecret, HKDFunction.RESUMPTION, message .getTicket().getTicketNonce().getValue(), macLength); LOGGER.debug("Derived PSK: " + ArrayConverter.bytesToHexString(psk)); return psk; } catch (NoSuchAlgorithmException | CryptoException ex) { LOGGER.error("DigestAlgorithm for psk derivation unknown"); throw new WorkflowExecutionException(ex.toString()); } }